Facebook Vows to Fix a Flaw in Data Privacy

SAN FRANCISCO — When you sign up for Facebook, you enter into a bargain. You share personal information with the site, and Facebook agrees to obey your wishes when it comes to who can see what you post.

At the same time, you agree that Facebook can use that data to decide what ads to show you.

It is a complicated deal that many people enter into without perhaps fully understanding what will happen to their information. It also involves some trust — which is why any hint that Facebook may not be holding up its end of the bargain is sure to kick up plenty of controversy.

The latest challenge to that trust came on Monday, when Facebook acknowledged that some applications on its site, including the popular game FarmVille, had improperly shared identifying information about users, and in some cases their friends, with advertisers and Web tracking companies. The company said it was talking to application developers about how they handled personal information, and was looking at ways to prevent this from happening again.

Facebook’s acknowledgment came in response to an article in The Wall Street Journal that said several popular applications were passing a piece of data known as a user ID to outside companies, in violation of Facebook’s privacy policy.

Having a user ID allows someone to look up that user’s name and any data posted on that person’s public profile, like a college or favorite movies, but not information that the user had set to be visible only to friends.

Privacy advocates and technology experts were split on the significance of the issue.

“That is extremely serious,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online liberties group.

Mr. Eckersley said advertisers could use the user IDs to link individuals with information they had collected anonymously about them on the Web. “Facebook, perhaps inadvertently, is leaking the magic key to tracking you online,” he said.

At the same time, Mr. Eckersley said there was no evidence that anyone who had access to this data had actually misused it.

Zynga, the maker of FarmVille and other games on Facebook that have a combined 219 million users, did not respond to requests for comment.

Several technology pundits and bloggers minimized the issue, with some saying that credit card companies and magazines have access to far more detailed information about customers than any Facebook application.

Photo: Mark Zuckerberg, chief of Facebook, apologized to users for site settings that they found too complicated to understand. Credit: Justin Sullivan/Getty Images

Facebook also sought to play down the importance of the leak, saying the sending of user IDs appeared to have been inadvertent. “Press reports have exaggerated the implications of sharing” a user ID, Mike Vernal, a Facebook engineer, wrote on a company blog for application developers. “Knowledge of a UID does not enable anyone to access private user information without explicit user consent.”

In a statement, Facebook said that while it would be a challenge to do so, it planned to introduce “new technical systems that will dramatically limit the sharing of user IDs,” and would continue to enforce its policies on outside applications, shutting them down when necessary. It added that the companies that had received the user IDs said they had not made use of them.

Regardless, the problem underscores another challenge facing the company: Facebook has grown so rapidly, in both users and in technical complexity, that it finds it increasingly difficult to control everything that happens on its site. In addition to more than 500 million Facebook users, there are more than one million third-party applications running on the site.

The latest information leak was made possible by a quirk in a long-established technical standard used by Web browsers. The standard allows Web sites to record the address of the page a user clicked on to arrive there, a bit of information known as a referrer.

Facebook has been including user IDs in these referrers for some time, and last year technology experts pointed out that user IDs had leaked to advertisers that way. Facebook fixed that this year, but apparently never addressed the problem when it came to referrers used by applications on its site.
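
The referrer behavior described above can be made concrete with a short added example (not part of the original article and not Facebook's code). It computes the Referer value a browser would send from a page whose address carries a user ID to a third-party server, under a subset of the W3C Referrer-Policy values; the URLs and the `id` parameter name are constructed assumptions.

```javascript
// Which Referer a browser sends from pageUrl to targetUrl under a given
// Referrer-Policy (simplified subset of the W3C Referrer Policy spec).
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = ""; // credentials and fragments are never sent in Referer
  return u;
}

function refererSent(pageUrl, targetUrl, policy) {
  const page = stripForReferrer(pageUrl);
  const target = new URL(targetUrl);
  const full = page.href;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("policy not covered by this example: " + policy);
  }
}

function carriesParam(referer, name) {
  return referer !== null && new URL(referer).searchParams.has(name);
}

// Constructed sample values: an app page whose address carries a user ID,
// and a third-party ad server that the page loads content from.
const APP_PAGE = "https://apps.example.test/game/?id=1234567890&ref=bookmark";
const AD_SERVER = "https://ads.example.net/pixel.gif";

function auditPolicies() {
  const policies = ["unsafe-url", "no-referrer-when-downgrade", "origin",
                    "same-origin", "strict-origin-when-cross-origin", "no-referrer"];
  return policies.map((p) => {
    const referer = refererSent(APP_PAGE, AD_SERVER, p);
    return { policy: p, referer, leaksId: carriesParam(referer, "id") };
  });
}

console.table(auditPolicies());
```

Only the two policies that forward the full page address to another site pass the ID along; the origin-only and same-origin policies keep the query string out of the third party's logs.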

“Facebook isn’t benefiting from it, and Facebook is not intentionally leaking this data,” said Christopher Soghoian, a privacy advocate and research fellow at the Center for Applied Cybersecurity Research at Indiana University. “But it is not a trivial thing to re-engineer their systems.”

This year he filed a complaint with the Federal Trade Commission, claiming Google was leaking personal information because search terms appeared in its referrers.

The latest issue may have had particular resonance with Facebook users because the company has been reeling from a series of privacy controversies, in part because it has been subtly pushing users to share data more publicly.

This year, for example, many users complained when Facebook changed the way in which users expressed preferences for certain movies or bands, essentially making it more difficult to keep that information private.

And in May, after a series of complaints from some users and privacy advocates, the company made wholesale changes to its privacy settings.

Mark Zuckerberg, the company’s chief executive, apologized to users, saying the settings were often too complicated for people to understand. Despite the changes, the privacy issue has continued to dog Facebook.

“This is one more straw on the camel’s back that suggests that Facebook needs to think holistically not just about its privacy policies, but also about baking privacy into their technical design,” said Deirdre Mulligan, a privacy expert and professor at the School of Information at the University of California, Berkeley.

A version of this article appears in print on October 19, 2010, on Page B8 of the New York edition with the headline: Facebook Vows to Fix Flaw in Protection of User Data.